Description:
A vulnerability was reported in OpenSSL. A remote user can bypass certain security checks.

A remote user with access to a signer's private key can generate a specially crafted signature that is not valid but will be accepted as valid. The vulnerability resides in the CMS_verify() function, which mishandles an error condition triggered by specially crafted signed attributes.

Only CMS users are affected.

Ivan Nestlerode reported this vulnerability.

Impact:
A remote user can create an invalid signature that will be accepted as valid.

Solution:
IBM has issued a fix for AIX (OpenSSL AIX version 0.9.8.803), available at: